At this point it is messing with my connection when I don't want it to. Who promoted it to be the safekeeper of all my internet? If I had the sources and the compilation environment, I would turn it off. This site is my own site and it is my own certificate. It is just plain intrusive and patronizing that it decides to know better than me, when it is my computer and I am free to do with it as I like.
Next you know you get browsers that won't connect to porn sites because it's immoral.
Or Opera that won't let you visit Mozilla.org because it's competition.
Get rid of that madness.
When you get the certificate error it hardly provides any information until you clock on the globe, then it says the connection is "Not protected" and then just says that the certificate is not trusted. The whole idea of trusted certificates is madness anyway because it says the government is to be trusted, when it's not. But regardless, this is my connection and I am to do with it what I want. I value freedom, and power, and apparently Opera doesn't want users to have that.
All the while I know for a fact that the certificate is my own (let's say I am 99.9999999999999999999999999999999999999999999999% certain) but here is another problem.
I just generated another certificate using a common method on Debian OS, that is recommended everywhere. Or at least reported. The certificate is imported into Opera as a root certificate and Squid uses it to generate fake certificates based on websites that have real ones. Squid is capable of checking the trustworthiness if I want to; I am just delegating some task to Opera in the sense that it has to 'trust' my fake certificate and my self-signed root certificate provider for that fake certificate.
However, it fails because it says the certificate (that it is presented in the end) is invalid.
I have no clue as to why it would be invalid. The Squid version is a bit older (3.4) but Firefox accepts the certificate no problems. The version I have installed on Windows (a slight tad older) also accepts it. I am now speaking of a Linux client (version 31.0.1889.174) and this version won't accept the certificate, but I can't be sure becaus the version of Squid I have on Windows is 3.5.
But the main problem is that Opera doesn't even present you a choice (in case of the untrusted certificate). It just cancels the connection. Period. It does not allow you to add an exception, as if its opinion on your computer is more important than your own.
It does not allow you to download the certificate and install it on your own. It doesn't allow anything. It is just plain obnoxious and plain intrusive.
It's like an intruder on my computer, and then it presents safety????.
If you intrude on someone's life, you cannot go and claim to be a protector. You meddle with someone's life in order to prevent another from meddling with his/her life? Doesn't that make you the crook?.
It's hypocrisy, that's what it is.
All the while Opera doesn't display the name of the signer in the address bar like some browsers do.
That means that If I have a "valid" (verisign, whatever) signed certificate, and my site impersonates another site, Opera will accept it without cause or complaint and tell me my connection is secure.
There are always or there have been exploits to fake the url in someone's browser, and there may be a DNS spoofing attempt (such as when using a public hotspot). Any hacker giving me free wifi can present me a fake website that looks just like the real one and Opera will not give any problems.
Actually normally that only happens when you get redirected to a different domain. The domain has to match the certificate. Regardless. It is generally providing as sense of false safety.
It is also providing and promoting a sense of false insecurity, and people are habitually trained to feel insecure. A general computer user -- because of the lack of knowledge, and information presented, regardless -- cannot interpret the certificate error message.
Many users run into certificate errors plainly because (due to some reason) their computer clock is set wrong. "You may not continue" then spells disaster, and their computer is working against them instead of for them.
The same crap happens with Java recently. Using Java in webapplications/applets has become virtually and practically impossible. Not that it was ever a nice technology, but some sites still use it and I cannot use them anymore.
Browsers f up too much.
I just wish there was a --no-check-certificate option like in wget.
The browser's role is to inform, not to enforce. And informing it does very badly. If it did, it would say something like:
"Opera cannot verify the source of your connection. That means the certificate was not signed by a trusted authority. The certificate is self-signed, and presented as follows:
If this is a high-profile website, you can be certain that the certificate would ordinarily be signed by a trusted-authority, and you should not continue. However, many people use self-signed certificates for their own purposes, because even though the end-point can not be verified against a real attacker, the connection is still encrypted and protected against general eaves-dropping."
So you are plain wrong that the certificate is garbage. It provides a function, namely making it extremely hard for general observers such as ISPs and governmental agencies, or even !!! tor endpoints from reading your plain-text data.
Anyone wanting to perform data mining on these connections would have to generate on-the-fly fake certificates for every certificate that comes along prompting the security warning for every single site visited; a sure sign that something is amiss. This is not a form of data mining that can take place in reality as it stands.
Man in the middle attacks are extremely rare. They require a hacker being in the position to hijack your connection; ordinarily this only happens with wifi access, because it is so inherently insecure. It can be done by a proxy server; it can be done by an ISP, it can be done by agencies or agents that have access to important routers. It can be done if your DNS is getting spoofed. On the other hand, connection monitoring is extremely common.
When you connect to an unkown host via SSH, it will say "You're connecting to a new host we don't know, are you sure you want to continue?" And when you say yes, it will add the server's public key to your store of authorized_hosts. Actually the file on Linux is called known_hosts. Then, should the host change, you would get another warning, which would indicate that something is amiss. It would be completely self-defeating if every ssh client would start issueing unverifiable certificate errors.